Analysis
- max time kernel: 105s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:41
Static task: static1
Behavioral task: behavioral1
- Sample: Inquiry RFQ 33307.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Inquiry RFQ 33307.exe
- Resource: win10v2004-20220414-en
General
- Target: Inquiry RFQ 33307.exe
- Size: 843KB
- MD5: 77a805f8f52ca2ce8865e0b39cd3d9ab
- SHA1: 7994710126438452afa09cf5ccaee14294c00f15
- SHA256: d55a82ddece8372f6c66dd91b8a02160bdd3a3e34f8df09bcbb44a40c6893827
- SHA512: 4e0a3fe2cb2a3e0093fc277d6a7731eaf897da0fe0c9c00fcf7906c56b428be70aa543304f260c687fa4337f57ca47a6ee25f70e7202ddce83db8b04d57e8056
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.ikrrispharmanetwork.com
- Port: 587
- Username: [email protected]
- Password: Q5Ab{kp_p0?a
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer that exfiltrates harvested credentials over SMTP, FTP or HTTP; this sample uses the SMTP configuration extracted above.
-
AgentTesla Payload 2 IoCs
Resources matched by YARA rule:
- behavioral1/memory/1732-57-0x0000000000360000-0x00000000003AC000-memory.dmp: family_agenttesla
- behavioral1/memory/1732-58-0x0000000000360000-0x00000000003AC000-memory.dmp: family_agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: Inquiry RFQ 33307.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Inquiry RFQ 33307.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Inquiry RFQ 33307.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Inquiry RFQ 33307.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Inquiry RFQ 33307.exe
- PID 864 (Inquiry RFQ 33307.exe) set thread context of PID 1732 (Inquiry RFQ 33307.exe)
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: Inquiry RFQ 33307.exe, Inquiry RFQ 33307.exe
- PID 864 Inquiry RFQ 33307.exe
- PID 1732 Inquiry RFQ 33307.exe
- PID 1732 Inquiry RFQ 33307.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: Inquiry RFQ 33307.exe
- PID 864 Inquiry RFQ 33307.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: Inquiry RFQ 33307.exe
- PID 1732 Inquiry RFQ 33307.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Inquiry RFQ 33307.exe
- Token: SeDebugPrivilege, PID 1732 Inquiry RFQ 33307.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: Inquiry RFQ 33307.exe
- PID 864 (Inquiry RFQ 33307.exe) wrote to memory of PID 1732 (Inquiry RFQ 33307.exe)
- PID 864 (Inquiry RFQ 33307.exe) wrote to memory of PID 1732 (Inquiry RFQ 33307.exe)
- PID 864 (Inquiry RFQ 33307.exe) wrote to memory of PID 1732 (Inquiry RFQ 33307.exe)
- PID 864 (Inquiry RFQ 33307.exe) wrote to memory of PID 1732 (Inquiry RFQ 33307.exe)
-
outlook_office_path 1 IoCs
Processes: Inquiry RFQ 33307.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Inquiry RFQ 33307.exe)
-
outlook_win_path 1 IoCs
Processes: Inquiry RFQ 33307.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Inquiry RFQ 33307.exe)
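The signatures above describe one recognisable sequence: the first instance of the sample (PID 864) writes into a freshly spawned copy of its own image (PID 1732) and then re-points that child's thread with SetThreadContext, which is the process-hollowing pattern, and it is the hollowed child that enables SeDebugPrivilege and opens the Outlook profile keys. The script below is an added example (not sandbox vendor code) that turns such behaviour events into detections. The `kind|pid|target|detail` event format is an assumption of the example; the PIDs, image names and registry keys are constructed from this report's own IoCs.

```python
"""Behaviour events -> detections for the injection and Outlook-profile pattern.

Added example, not code from the sandbox. The 'kind|pid|target|detail'
event format is an assumption of this example; PIDs, images and keys are
taken from the report's IoCs.
"""
import re
from collections import defaultdict

# Process table reconstructed from the report's process tree.
PROCESSES = {
    864: {"image": "Inquiry RFQ 33307.exe", "parent": None},
    1732: {"image": "Inquiry RFQ 33307.exe", "parent": 864},
}

# Constructed event log, one line per IoC in the signature section.
# Raw string on purpose: the registry paths contain '\U', which a normal
# string literal would try to read as a unicode escape.
EVENTS = r"""
write_process_memory|864|1732|Inquiry RFQ 33307.exe
write_process_memory|864|1732|Inquiry RFQ 33307.exe
write_process_memory|864|1732|Inquiry RFQ 33307.exe
write_process_memory|864|1732|Inquiry RFQ 33307.exe
set_thread_context|864|1732|Inquiry RFQ 33307.exe
map_view_of_section|864|-|Inquiry RFQ 33307.exe
adjust_privilege_token|1732|-|SeDebugPrivilege
reg_open_key|1732|-|\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
reg_open_key|1732|-|\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
reg_open_key|1732|-|\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
"""

# Outlook keeps MAPI profiles under Office\<version>\Outlook\Profiles (2013
# and later) or under Windows Messaging Subsystem\Profiles (older layout).
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)


def parse_events(text):
    """Turn 'kind|pid|target|detail' lines into dicts; '-' means no target."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, target, detail = line.split("|", 3)
        events.append({
            "kind": kind,
            "pid": int(pid),
            "target": None if target == "-" else int(target),
            "detail": detail,
        })
    return events


def detect_self_injection(events, processes):
    """A parent that writes into, then re-points the thread of, a child
    running the same image is the hollowing sequence seen in this report."""
    kinds_by_pair = defaultdict(set)
    for ev in events:
        if ev["target"] is not None:
            kinds_by_pair[(ev["pid"], ev["target"])].add(ev["kind"])
    hits = []
    for (src, dst), kinds in kinds_by_pair.items():
        parent_child = processes.get(dst, {}).get("parent") == src
        same_image = (processes.get(src, {}).get("image")
                      == processes.get(dst, {}).get("image"))
        if {"write_process_memory", "set_thread_context"} <= kinds \
                and parent_child and same_image:
            hits.append({"rule": "self_injection", "source": src,
                         "target": dst, "image": processes[src]["image"]})
    return hits


def detect_outlook_profile_access(events):
    """Registry opens under the Outlook profile keys (stored credentials)."""
    return [{"rule": "outlook_profile_access", "pid": ev["pid"], "key": ev["detail"]}
            for ev in events
            if ev["kind"] == "reg_open_key" and OUTLOOK_PROFILE_RE.search(ev["detail"])]


def detect_debug_privilege(events):
    """SeDebugPrivilege enabled via AdjustTokenPrivileges."""
    return [{"rule": "debug_privilege", "pid": ev["pid"]}
            for ev in events
            if ev["kind"] == "adjust_privilege_token"
            and "SeDebugPrivilege" in ev["detail"]]


def analyse(text=EVENTS, processes=PROCESSES):
    """Run all three detections over an event log and return the findings."""
    events = parse_events(text)
    return (detect_self_injection(events, processes)
            + detect_outlook_profile_access(events)
            + detect_debug_privilege(events))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

The self-injection rule deliberately requires both a memory write and a thread-context change on a parent-to-child pair with identical images; a single WriteProcessMemory on its own is common in benign software, and the same-image condition is what separates this sample's behaviour from ordinary injection into a browser or explorer.exe.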
Processes
-
- C:\Users\Admin\AppData\Local\Temp\Inquiry RFQ 33307.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry RFQ 33307.exe"
  PID: 864
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Inquiry RFQ 33307.exe (child of PID 864)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry RFQ 33307.exe"
    PID: 1732
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/864-54-0x00000000755A1000-0x00000000755A3000-memory.dmp (8KB)
- memory/864-56-0x0000000000400000-0x00000000004D8000-memory.dmp (864KB)
- memory/1732-55-0x00000000004A3AF0-mapping.dmp
- memory/1732-57-0x0000000000360000-0x00000000003AC000-memory.dmp (304KB)
- memory/1732-58-0x0000000000360000-0x00000000003AC000-memory.dmp (304KB)